Re: Secure dynamic JS compilation under CSP from Tanvi Vyas on 2012-07-19 (public-webappsec@w3.org from July 2012)

From: Tanvi Vyas <tanvi@mozilla.com>
Date: Thu, 19 Jul 2012 11:55:26 -0700
To: Eric Chen <eric.chen@sv.cmu.edu>
CC: John J Barton <johnjbarton@johnjbarton.com>, public-webappsec@w3.org
Message-ID: <5008581E.6090209@mozilla.com>

In Firefox, we currently use "eval-script" as part of the options directive:
https://wiki.mozilla.org/Security/CSP/Specification#Directives

But we will be changing that soon to match the CSP 1.0 specification.

~Tanvi

On 7/19/12 10:54 AM, Eric Chen wrote:
> Hi John:
>
> On Thu, Jul 19, 2012 at 10:45 AM, John J Barton 
> <johnjbarton@johnjbarton.com <mailto:johnjbarton@johnjbarton.com>> wrote:
>
>     Hi. I was looking into converting my application to use CSP when I
>     learned that neither eval nor new Function() are allowed. I have a
>     large application that uses these features to compile JS at
>     runtime. I am wondering what alternatives are available.
>
>
> You can use 'unsafe-eval' to allow eval
>
>
> -- 
> -Eric
>

Received on Thursday, 19 July 2012 18:55:52 UTC